9 from keystoneauth1.identity import v3
10 from keystoneauth1 import session
11 from keystoneauth1.exceptions.http import Conflict
12 from keystoneclient import utils
13 from keystoneclient.v3 import client
15 sys.path.append('{{ lib_source_folder }}')
16 from access_management.db.amdb import AMDatabase
17 from access_management.cryptohelper.decryptaaafiles import DecryptAAAFile
21 config = ConfigParser.ConfigParser()
22 config.read("/{{ am_plugin_config_path }}")
23 config_dict = {s: dict(config.items(s)) for s in config.sections()}
28 logger = logging.getLogger("DBfiller")
29 shandler = logging.StreamHandler(sys.stdout)
30 shandler.setLevel(logging.DEBUG)
31 formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
32 shandler.setFormatter(formatter)
33 logger.addHandler(shandler)
34 logger.info("logger set")
38 def close_logger_handlers(logger):
39 for handler in logger.handlers:
40 logger.removeHandler(handler)
49 dir = "{{ am_server_values_dir }}"
50 for encrypted_file in os.listdir(dir):
51 if os.stat(os.path.join(dir, encrypted_file)).st_uid is not 0:
52 print "--- File: ", encrypted_file, "is not of root, skipping"
55 crypter = DecryptAAAFile("{{ am_server_temp_dir }}/am_pri_key.pem")
56 jsoned_content = crypter.decrypt_file(os.path.join(dir, encrypted_file))
57 for user in jsoned_content["users"]:
59 for role in jsoned_content["roles"]:
61 for permission in jsoned_content["permissions"]:
62 permissions.append(permission)
63 for user_role in jsoned_content["user_roles"]:
64 user_roles.append(user_role)
65 for role_permission in jsoned_content["role_permissions"]:
66 role_permissions.append(role_permission)
67 except M2Crypto.RSA.RSAError as ex:
68 print "Failed to decrypt file: {}, {}".format(encrypted_file, str(ex))
69 except Exception as ex:
70 print "File {} failed with error: {}".format(encrypted_file, str(ex))
71 users = map(list, set(map(tuple, users)))
72 roles = map(list, set(map(tuple, roles)))
73 permissions = map(list, set(map(tuple, permissions)))
74 user_roles = map(list, set(map(tuple, user_roles)))
75 role_permissions = map(list, set(map(tuple, role_permissions)))
76 return {"users": users, "roles": roles, "permissions": permissions, "user_roles": user_roles, "role_permissions": role_permissions}
79 def get_db_content(db):
81 users = db.get_user_table()
82 roles = db.get_role_table()
83 permissions = db.get_resource_table()
84 user_roles = db.get_user_role_table()
85 role_permissions = db.get_role_resource_table()
86 return {"users": users, "roles": roles, "permissions": permissions, "user_roles": user_roles, "role_permissions": role_permissions}
89 def compare_contents(db_content, files_content):
90 update_needed = {"roles":[], "permissions":[]}
91 adding_needed = {"users":[], "roles":[], "permissions":[], "user_roles":[], "role_permissions":[]}
92 for file_user in files_content["users"]:
93 if check_user_value(file_user, db_content["users"]):
94 print "User " + file_user[0] + " is ok"
96 print "User " + file_user[0] + " needs to be added"
97 adding_needed["users"].append(file_user)
99 for file_role in files_content["roles"]:
100 result = check_role_value(file_role, db_content["roles"])
101 if result == "update":
102 if file_role[2] == "True":
104 if file_role[2] == "False":
106 update_needed["roles"].append(file_role)
107 elif result == "add":
108 print "Role " + file_role[0] + " needs to be added"
109 if file_role[2] == "True":
111 if file_role[2] == "False":
113 adding_needed["roles"].append(file_role)
114 if file_role[2] == 1:
115 adding_needed["role_permissions"].append([file_role[0],"am/users/keys","POST"])
116 adding_needed["role_permissions"].append([file_role[0],"am/users/keys","DELETE"])
117 print "am/users/keys permissions also needs to be added for role " + file_role[0]
119 print "Role " + file_role[0] + " is ok"
121 for file_permission in files_content["permissions"]:
122 result = check_permission_value(file_permission,db_content["permissions"])
123 if result == "update":
124 print "Permission " + file_permission[0] + ":" + file_permission[1] + " needs update due to changed description"
125 update_needed["permissions"].append(file_permission)
126 elif result == "add":
127 print "Permission " + file_permission[0] + ":" + file_permission[1] + " needs to be added"
128 adding_needed["permissions"].append(file_permission)
130 print "Permission " + file_permission[0] + ":" + file_permission[1] + " is ok"
132 for file_user_role in files_content["user_roles"]:
133 if not check_user_role_value(file_user_role, db_content["user_roles"]):
134 adding_needed["user_roles"].append(file_user_role)
136 for file_role_permission in files_content["role_permissions"]:
137 if not check_role_permission_value(file_role_permission, db_content["role_permissions"]):
138 adding_needed["role_permissions"].append(file_role_permission)
140 return (update_needed, adding_needed)
143 def check_user_value(file_content, db_content):
144 for db_user in db_content:
145 if file_content[0] == db_user["name"]:
150 def check_permission_value(file_content, db_content):
151 for db_permission in db_content:
152 if file_content[0] == db_permission["path"] and file_content[1] == db_permission["op"]:
153 if file_content[2] == db_permission["desc"]:
160 def check_role_permission_value(file_content, db_content):
161 for db_role_permission in db_content:
162 if file_content[0] == db_role_permission["name"] and file_content[1] == db_role_permission["path"] and file_content[2] == db_role_permission["op"]:
163 print "Role_permission " + file_content[0] + ":" + file_content[1] + ":" + file_content[2] + " is ok"
165 print "Role_permission " + file_content[0] + ":" + file_content[1] + ":" + file_content[2] + " needs to be added"
169 def check_user_role_value(file_content, db_content):
170 for db_user_role in db_content:
171 if file_content[0] == db_user_role["user_name"] and file_content[1] == db_user_role["role_name"]:
172 print "User_role " + file_content[0] + ":" + file_content[1] + " is ok"
174 print "User_role " + file_content[0] + ":" + file_content[1] + " needs to be added"
178 def check_role_value(file_content, db_content):
179 for db_role in db_content:
180 if file_content[0] == db_role["name"]:
181 if file_content[1] != db_role["desc"]:
182 print "Role " + file_content[0] + " needs update due to changed description"
184 if file_content[2] != str(db_role["is_chroot"]):
185 print "Role " + file_content[0] + " needs update due to changed is_chroot"
191 def update_tables(db, update_needed):
193 for row in update_needed["roles"]:
194 db.set_role_param(row[0],row[1],row[2])
195 print "Role {} updated".format(row[0])
196 for row in update_needed["permissions"]:
197 db.update_resource(row[0],row[1],row[2])
198 print "Permission {0}:{1} updated".format(row[0], row[1])
199 except Exception as ex:
205 def add_into_tables(db, adding_needed, config):
207 keystone = make_keystone_auth(config)
208 for row in adding_needed["users"]:
209 uuid = get_resource_id(keystone, "users", row[0])
210 create_db_user(db, uuid, row[0])
211 for row in adding_needed["roles"]:
213 role_id = keystone.roles.create(row[0])
214 print "Role {} created in Keystone".format(row[0])
215 except Conflict as ex:
216 print "Role {} already in Keystone".format(row[0])
217 db.create_role(row[0],row[1],row[2])
218 print "Role {} created in DB".format(row[0])
219 for row in adding_needed["permissions"]:
220 db.create_resource(row[0],row[1],row[2])
221 print "Permission {} created in DB".format(row[0])
222 for row in adding_needed["user_roles"]:
224 project_id = get_resource_id(keystone, "projects", "{{ am_project_name }}")
225 role_id = get_resource_id(keystone, "roles", row[1])
226 uuid = db.get_user_uuid(row[0])
227 if row[1] == "infrastructure_admin":
228 admin_project_id = get_resource_id(keystone, "projects", "admin")
229 admin_role_id = get_resource_id(keystone, "roles", "admin")
230 heat_role_id = get_resource_id(keystone, "roles", "heat_stack_owner")
231 keystone.roles.grant(admin_role_id, user=uuid, project=admin_project_id)
232 keystone.roles.grant(heat_role_id, user=uuid, project=admin_project_id)
233 keystone.roles.grant(role_id, user=uuid, project=project_id)
234 print "Role {} added to user {} in Keystone".format(row[1], row[0])
235 except Conflict as ex:
236 print "Role {} already at user {} in Keystone".format(row[1], row[0])
237 db.add_user_role(uuid, row[1])
238 print "Role {0} added to user {1} in DB".format(row[1], row[0])
239 for row in adding_needed["role_permissions"]:
240 db.add_resource_to_role(row[0], row[1], row[2])
241 print "Permission {0}:{1} added to role {2} in DB".format(row[1], row[2], row[0])
242 except Exception as ex:
249 def create_db_user(db, uuid, name):
250 if name == "{{ infrastructure_admin_user_name }}" or name == "admin":
251 db.create_user(uuid, name)
253 db.create_user(uuid, name, service=True)
254 print "User {} created in DB".format(name)
257 def get_resource_id(keystone, resource_type, resource_name):
258 res_type = getattr(keystone,resource_type)
259 resource = utils.find_resource(res_type, resource_name)
263 def make_keystone_auth(config):
265 auth_url="{{ keystone_service_internalurl }}",
266 username="{{ keystone_admin_user_name }}",
267 password="{{ keystone_auth_admin_password }}",
268 project_name="{{ keystone_admin_tenant_name }}",
269 project_domain_id="{{ am_project_domain }}",
270 user_domain_id="{{ am_project_domain }}")
271 sess = session.Session(auth=auth)
272 keystone = client.Client(session=sess)
273 print "+++ Keystone authentication OK"
278 config = get_config()
279 logger = set_logger()
280 logger.info("logger set")
281 db = AMDatabase(db_name=config["DB"]["name"], db_addr=config["DB"]["addr"],
282 db_port=int(config["DB"]["port"]), db_user=config["DB"]["user"],
283 db_pwd=config["DB"]["pwd"], logger=logger, management_mode=True)
285 thime = time.strftime("%Y/%m/%d %H:%M:%S", time.localtime())
286 print "*** Start time " + thime + " ***"
287 print "+++ Connection to database successful"
288 db_content = get_db_content(db)
289 print "+++ DB dump acquired"
290 files_content = read_files()
291 print "+++ Value files read"
292 update_needed, adding_needed = compare_contents(db_content, files_content)
293 print "+++ Comparation done"
294 result = update_tables(db, update_needed)
296 print "+++ Updating tables completed"
298 print "--- Problem during updating tables"
299 result = add_into_tables(db, adding_needed, config)
301 print "+++ Adding to tables completed"
303 print "--- Problem during table additions"
305 print "+++ Aaand done"
306 thime = time.strftime("%Y/%m/%d %H:%M:%S", time.localtime())
307 print "*** End time " + thime + " ***"
308 close_logger_handlers(logger)
311 if __name__ == '__main__':